Heartbleed Attack on BYOD Service Hit Insurance Giant Aviva

The Register is reporting that the Heartbleed vulnerability was leveraged in an attack last month against a BYOD service provider, allowing the attackers to potentially cause millions in damages for insurance giant Aviva after a number of the company’s fleet of employee-owned mobile devices were wiped clean.

“Aviva was using BYOD service MobileIron to manage more than 1,000 smart devices such as iPhones and iPads. On the evening of 20 May, a hacker compromised the MobileIron admin server and posted a message to those handhelds and the email accounts, according to our source,” the report stated. “The hacker then performed a full wipe of every device and subsequently took out the MobileIron server itself.”

Aviva provided a statement that attempted to downplay the seriousness of the event, and assured customers that no account data was compromised.

“The issue was specific to iPhones and none of Aviva’s business data was accessed or lost. Someone gained access to a third party supplier, which also enabled them to reset mobile devices for some Aviva users,” the statement said. “There were no financial losses or repercussions. It was an overnight issue and by the start of the next day we had begun to restore devices.”

MobileIron also attempted to play down the incident in a statement, claiming there was no vulnerability in their systems that was exploited, and that the incident was isolated to Aviva only.

“Our investigation concluded that this incident neither resulted from nor exploited any compromise or vulnerability in MobileIron systems or software,” the company said. “All indications are that this was an isolated incident that does not represent a threat to other MobileIron customers.”

Penetration testing expert Ken Munro speculates that while MobileIron may have believed they had taken all steps necessary to patch systems vulnerable to the Heartbleed bug in OpenSSL, they may have still been open to compromise.

“Maybe it [the MobileIron server] was vulnerable, the creds were stolen, it was then patched, but the creds weren’t changed? Then the creds were used some time later,” Munro said. “The other possibility is that another filtering/proxying device in front of the MobileIron server was vulnerable, and creds were stolen from that instead,” he added.